By Suraj Sahu (Vulnerability Research Engineer) and Rahul Kumar (Vulnerability Research Engineer)

Earlier this week, an independent researcher publicly disclosed a severe vulnerability in MySQL, a very popular open-source DBMS that many organizations use to manage their backend databases and websites. Proof-of-concept code was provided as part of the disclosure.

This particular vulnerability was designated CVE-2016-6662, one of two serious flaws that the researcher found. It allows an attacker to create or modify the MySQL configuration file without having the privileges to do so, effectively taking over the server. The other flaw, assigned CVE-2016-6663, has not yet been disclosed.

How would an attacker exploit this flaw?

There are two remote vectors that can be used to carry out this attack.

Via an existing SQL injection vulnerability. An attacker can use this to modify the mysqld configuration file or run arbitrary remote code on the database server.

Using the credentials of an authorized user on the MySQL server. This vulnerability could be used to elevate the privileges of the said user.

What’s the vulnerability (CVE-2016-6662)?

There are multiple ways to start a MySQL server. mysqld is the most commonly used daemon, but there is another startup script, mysqld_safe, which is the recommended way to start the MySQL server on non-Windows operating systems. As the name implies, mysqld_safe adds some safety features, including restarting the server when an error occurs and logging runtime information to an error log.

This script takes many options similar to those accepted by mysqld. One option, --malloc-lib=LIB, can be used to preload a shared library before starting the server. This parameter can be specified in the MySQL configuration file (my.cnf) in a “[mysqld]” or “[mysqld_safe]” section with the parameter name malloc_lib.

Figure 1. malloc-lib option

The problem lies with the privileges that the mysqld_safe script runs with: it executes as the root user. If an attacker can inject a path pointing to their malicious library in the configuration file, then this library will also be preloaded when MySQL starts—with root privileges.
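As an added example (not code from the original post or from the researcher's disclosure), the following Python audit script parses a my.cnf-style configuration and flags any malloc_lib / malloc-lib setting in a [mysqld] or [mysqld_safe] section, the exact setting described above. Paths outside standard system library directories are reported as suspicious. The sample configuration text and the list of trusted directories are constructed assumptions for this example, not values from the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample my.cnf content (not from the original post): a benign
# [mysqld] section followed by a [mysqld_safe] section that preloads a
# library from a world-writable location, as a tampered config might look.
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock   # comment after a value

[mysqld_safe]
log-error=/var/log/mysqld.log
malloc-lib=/tmp/libevil.so
"""

# Sections in which mysqld_safe honours the malloc-lib option (per the post).
WATCHED_SECTIONS = {"mysqld", "mysqld_safe"}

# Directories an administrator would expect a preload library to live in.
# This list is an assumption for the example; adjust it for your hosts.
TRUSTED_PREFIXES = ("/usr/lib/", "/usr/lib64/", "/usr/local/lib/", "/lib/", "/lib64/")


def parse_my_cnf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse my.cnf-style text into {section: [(key, value), ...]}.

    Lines starting with '#' or ';' are comments, as are trailing '#' comments.
    MySQL treats '-' and '_' in option names as equivalent, so keys are
    normalised to use '_'.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\S+)\]$", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
            continue
        if current is None:
            continue  # option outside any section: ignore
        key, _, value = line.partition("=")
        key = key.strip().lower().replace("-", "_")
        sections[current].append((key, value.strip()))
    return sections


def find_malloc_lib(text: str) -> List[Tuple[str, str, bool]]:
    """Return (section, value, trusted) for each malloc_lib in a watched section.

    'trusted' is True only for an absolute path under TRUSTED_PREFIXES. A bare
    library name (no '/') is left untrusted so a human reviews it.
    """
    hits = []
    for section, entries in parse_my_cnf(text).items():
        if section not in WATCHED_SECTIONS:
            continue
        for key, value in entries:
            if key == "malloc_lib":
                trusted = value.startswith(TRUSTED_PREFIXES)
                hits.append((section, value, trusted))
    return hits


if __name__ == "__main__":
    for section, path, trusted in find_malloc_lib(SAMPLE_MY_CNF):
        status = "ok" if trusted else "SUSPICIOUS"
        print(f"[{section}] malloc_lib={path} -> {status}")
```

In practice the script would be run against every file mysqld_safe reads (the global my.cnf and any included files), and an entry flagged here should be paired with a check that the configuration file is not writable by the account the database runs as; the post's root-preload scenario depends on that write access.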

Figure 2. Executing the library

The researcher demonstrated ways to achieve just this, defeating the restrictions imposed on a normal MySQL user.

An attacker with limited access (SELECT/FILE) permissions can create and define the TRIGGER for a database table. When the attacker accesses this table to run any DML (Data Manipulation Language) statement, TRIGGER’s code will be executed with root privileges. This allows a user with fewer privileges to modify the settings as needed.

Figure 3. Defining a TRIGGER

MySQL Versions 5.7.15 and below, 5.6.33, and 5.5.22 are reported affected. As of publishing, Oracle has not yet released any patch.

Trend Micro Solutions

Trend Micro Deep Security™ provides protection to users via the following rule, released in update DSRU16-026 on September 13, 2016:
